March 24, 2000
Audit Report No. 00-012

Special Report: FDIC's Year 2000 Efforts

Federal Deposit Insurance Corporation                    Office of Audits
Washington, D.C. 20434                                   Office of Inspector General

DATE:      March 24, 2000

TO:        John F. Bovenzi
           Deputy to the Chairman and Chief Operating Officer

           Donald C. Demitros
           Director
           Division of Information Resources Management and Chief Information Officer

           James L. Sexton
           Director
           Division of Supervision

           Mitchell Glassman
           Director
           Division of Resolutions and Receiverships

           Arleas Upton Kea
           Director
           Division of Administration

FROM:      Steven A. Switzer
           Deputy Inspector General

SUBJECT:   Special Report on FDIC's Year 2000 Efforts (Audit Report No. 00-012)

Beginning in February 1997, the Office of Inspector General (OIG) engaged in a comprehensive assessment of the Federal Deposit Insurance Corporation's (FDIC) efforts to ensure year 2000 (Y2K) readiness of both the financial institutions that it supervises and its internal systems. As a result of vigorous actions taken by the Corporation, the FDIC successfully transitioned to the new millennium. During the rollover weekend and to date, the banking institutions supervised by the FDIC have experienced no major disruptions, and the Corporation's internal operations have continued uninterrupted. Although the Corporation's Y2K efforts continue, the majority of the Corporation's work is complete. We are issuing this special report following the culmination of our Y2K audit efforts on March 7, 2000.

This report primarily focuses on the positive actions undertaken by the Corporation in addressing the uncompromising and unprecedented technological challenge posed by the date change to the year 2000. The OIG believes that the Corporation would be well served if many of the initiatives implemented to address Y2K were carried forward and transferred to other aspects of corporate activities that impact several different divisions and offices. This report makes several broad recommendations to that end.

BACKGROUND

During the course of our year 2000 audit work, we reviewed all phases of the FDIC's Y2K program for both its supervisory and internal efforts using U.S. General Accounting Office (GAO) and Federal Financial Institutions Examination Council (FFIEC) guidance and other generally accepted practices to ensure that the FDIC adhered to a rigorous and structured approach to decrease its Y2K risks. We initiated our work in February 1997 by reviewing the FDIC's Y2K awareness program. We concluded that the FDIC had effectively communicated the need to address the Y2K problem, implemented an effective strategic plan, and developed needed Y2K policies and procedures for its role as a financial institution regulator and for its internal programs. Concluding that the FDIC's Y2K project appeared to be on schedule and appropriate progress was being made, we expanded the scope of our audit work to include a more comprehensive review of the FDIC's supervisory role in ensuring that the financial institutions it regulates would be Y2K compliant.

FDIC's Y2K Supervisory Efforts

In reviewing the FDIC's Y2K supervisory work, we made 37 visits to Division of Supervision (DOS) field offices and reviewed 469 Y2K assessments of financial institutions to ensure that Y2K examination results, ratings, and oversight of financial institutions were accurate, complete, and consistent. We also reviewed and provided input on the effectiveness of the Corporation's customer awareness efforts by visiting 14 banks to observe how the banks were informing their customers of the banks' Y2K readiness. We obtained literature from the banks and compared it to suggested Y2K topics developed by the FFIEC for bank communications with consumers. We also conducted an Internet search of bank Web sites containing Y2K information and similarly analyzed this information. In total, we accessed 64 institution Web sites to perform this evaluation. We also reviewed 91 quality assurance reviews of on-site assessments covering a 5-month period, a program that DOS adopted in response to the audit team's suggestion to provide an additional level of independent review and a method of confirming Y2K ratings. In preparing for the Y2K rollover event, we worked closely with DOS, reviewing event management plans, observing simulation exercises and Y2K tracking system tests, and providing input to DOS's event management planning and implementation efforts.

FDIC's Internal Y2K Efforts

As part of our review of the FDIC's internal program for solving the Y2K problem, we monitored the Corporation's five-phase structured program to bring all information technology, including software, hardware, telecommunications, and embedded chips, into Y2K compliance. This effort included reviewing the FDIC's information technology inventories; the development of policies and procedures for testing, configuration management, and contingency planning; the FDIC's processes for assessing over 800 internal applications; the renovation and testing of those applications that were not Y2K compliant; and the implementation of Y2K-compliant software. We also performed independent Y2K testing of selected application systems. Further, during the FDIC's preparations for the Y2K rollover, we reviewed the Division of Information Resources Management's (DIRM) action plan to ensure that it addressed all needed activities and included adequate planning for contingencies.

OIG Audit Focus and Approach

We performed our audit work in accordance with generally accepted government auditing standards. Although our audit focus was primarily on DOS and DIRM, we also reviewed other corporate Y2K efforts. We reviewed and commented on the Division of Resolutions and Receiverships' (DRR) event management planning and related simulation exercises, rollover plans for the Division of Compliance and Consumer Affairs and the Office of Corporate Communications, and corporate-wide initiatives to prepare for the Y2K rollover. During the rollover weekend, we observed and documented activities at the DOS, DRR, and DIRM communication centers, as well as the FDIC Event Management Communication Center.

We adopted a unique communication approach for this audit. We communicated process improvement opportunities to FDIC management through briefings and advisory memorandums. We provided this information as it was developed so that it would offer the greatest benefit to the Corporation. We issued nine advisory memorandums: three addressing our observations and suggestions on the FDIC's supervisory efforts, four addressing the FDIC's internal efforts, and two addressing both supervisory and internal efforts. We also summarized and provided FDIC management with best practice observations noted during our nationwide review of DOS's supervisory efforts. FDIC management responded promptly to the issues and suggestions resulting from our work.

We also prepared testimony on the status of our Y2K audit activities for the FDIC Inspector General's (IG) appearance before the Committee on Banking and Financial Services, United States House of Representatives. In that testimony, the IG explained the status of Y2K activities at the FDIC and the OIG's role in ensuring that the FDIC and financial institutions were making reasonable progress in solving the Y2K problem. We also, along with DOS and other corporate management, met with Congressional staff on two occasions to discuss the status of the FDIC's supervisory efforts.

Meeting the Challenge

Preparing for the year 2000 was a most challenging endeavor for the Corporation. The Corporation's approach was to follow the five-phase, structured approach and rigorous program management process developed by the GAO and other recognized information technology experts. The phases covered the awareness, assessment, renovation, validation, and implementation of the FDIC's Y2K program. The FDIC, in partnership with the other members of the FFIEC, developed a similar methodology to ensure that the financial institutions it supervises were prepared for the century date change.

Overall, the FDIC expended over $105 million in personnel, hardware, software, and contracted costs through January 31, 2000 to ensure the Y2K readiness of its internal systems and operations and the financial institutions that it supervises. The OIG expended over 2,200 staff days reviewing and providing feedback on the Corporation's activities in an effort to ensure overall Y2K success. As a result of the FDIC's commitment to this endeavor, the financial institutions generally experienced business as usual during and after the rollover, with only minor problems that were quickly corrected. In addition, the public's confidence in the banking system was maintained. On the internal side, the FDIC's investments resulted in a successful change to the year 2000 for the Corporation's information technology resources and other benefits that will extend into future operations. These benefits include accurate hardware, software, and data exchange inventories, and enhanced information technology policies and procedures that, if continued for all related DIRM operations, can improve the FDIC's overall information technology program.

RESULTS OF AUDIT

During our audit, we proactively provided management with suggestions for process improvements. On the supervisory side, we provided suggestions for (1) ensuring the consistency of Y2K assessment ratings, including issuing clarifying guidance and requiring examiners to fully develop and document assessment conclusions; (2) improving information contained in DOS's Y2K tracking system; (3) communicating Y2K assessment results in a timely manner; (4) following up with institutions to ensure that they had completed testing; (5) ensuring institutions had completed their contingency plans; and (6) implementing an independent review process for the Y2K assessment reports and related work papers.

With respect to the Corporation's internal systems, we suggested (1) updating information technology inventories to identify duplicative hardware and software, (2) improving the mission-critical application contingency planning process, (3) expanding the process used to certify applications for Y2K compliance, (4) implementing version control procedures for all computer platforms, (5) developing a business continuity and contingency plan, (6) finalizing and formalizing testing policies and procedures, and (7) correcting specific date-related issues discovered during our independent verification and validation testing.

The Corporation was successful in its efforts to transition smoothly to the year 2000, both for the financial institutions it supervises and for its internal information technology. Through its Y2K preparations, the FDIC learned many lessons that can benefit the Corporation both in future endeavors and in its daily operations. The Corporation summarized lessons learned, benefits derived, and next steps or initiatives that could be incorporated into the FDIC's normal business processes in a document entitled Y2K – A Retrospective Look, dated January 21, 2000. This document is an interdivisional look at the FDIC's Y2K efforts and contains our input from an audit perspective.

We believe that some practices initiated during Y2K could provide long-term benefits to the Corporation. The issues identified by our office and the Corporation that provide the greatest opportunity for continued improvements include the following:

• maintaining and periodically updating DOS's database of service providers, software vendors, and affiliated banks to facilitate solutions in the event an institution experiences problems with a servicer or vendor-supplied product;

• stressing to supervised institutions the importance of maintaining adequate business resumption and contingency plans and monitoring their maintenance of such plans;

• ensuring that internal manuals and procedures that provide operational guidance remain current;

• maintaining accurate and complete information technology inventories for the FDIC's hardware, software, and telecommunications resources;

• maintaining up-to-date and comprehensive operating procedures for FDIC buildings;

• maintaining a repository containing information on the FDIC's external data exchange partners, including points of contact, data formats, and frequencies of exchange;

• maintaining an up-to-date corporate-wide business continuity and contingency plan;

• maintaining and periodically validating the accuracy and completeness of contingency plans for mission-critical application systems;

• adopting and updating the expanded Y2K configuration management and version control program for all information technology platforms;

• incorporating the testing policies and procedures developed for Y2K into continuing FDIC policy; and

• enhancing DOS's quality assurance review program through an independent review of examination reports and supporting documentation to validate examination conclusions.

The following synopses support the benefits of sustaining the improvements listed above.

Database of Service Providers, Software Vendors, and Affiliated Banks

In preparing for potential Y2K rollover disruptions, DOS developed a database of service providers, software vendors, and affiliated banks. By doing so, DOS would be able to identify potentially affected banks in the event a service provider or software vendor experienced problems. Maintaining the completeness and accuracy of this database could aid DOS in its future supervision of financial institutions.

An additional element that could aid in the oversight of financial institutions is an inventory to track vendor-supplied application systems used by financial institutions and the versions of such applications. Information on a financial institution's use of servicers and software vendors, including which applications and versions the institution uses, could be obtained during examinations and provided to a central point for use in updating the database. A periodic review of the application versions could then be performed to ensure that the financial institutions have installed any necessary application changes for their mission-critical processing.

Financial Institution Business Resumption and Contingency Plans

Prior to initiating their Y2K preparations, many financial institutions had limited contingency or disaster recovery plans. As a result of the Y2K regulatory requirements developed by the FDIC and other regulators, financial institutions developed a greater awareness of the importance of adequate business resumption and contingency plans in the event of business system disruptions. By continuing to stress the importance of maintaining, updating, and periodically testing these business resumption and contingency plans and verifying such actions by the banks, the FDIC can continue to foster an effective safeguard for both the financial institutions and the FDIC itself, as insurer.

Internal Manuals and Procedures

The FDIC's Y2K project provided the Corporation's divisions with an opportunity to review and update internal manuals and procedures, resulting in improved operational guidance. For example, during its Y2K preparations, DRR updated and reissued its closing manual. The FDIC can continue to benefit from improved operational guidance by requiring regular updates to its internal manuals and procedures.

Information Technology Inventories

As part of its Y2K program, DIRM developed and maintained inventories of information technology hardware, software, and computer applications. These inventories identified redundant, outdated, and duplicative software. Software licensing, maintenance, and operational costs can be reduced when such software is identified and eliminated. By maintaining accurate and complete IT inventories, the Corporation can more effectively manage its hardware, software, and telecommunication resources.

In addition, many of the FDIC's internal applications were brought into Y2K compliance through the use of a program coding technique known as "windowing." When employing windowing, rather than physically expanding a date field to include a century date, a pivot year is used to logically identify the century.
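The pivot-year rule just described, carried through as an added worked example in Python. This is the editor's code, not code from the report or from the FDIC. The pivot of 50 and the 1900 base century reproduce the report's 50-99 / 00-49 split; the six-character YYMMDD field layout and the sample records are assumptions for illustration. The example goes slightly beyond the text: the pivot is a parameter, so the same functions give the year at which any window stops working, and round_trips shows the failure mode for a date that falls outside the window.

```python
"""Two-digit-year "windowing" (pivot-year) date expansion.

Editor's worked example for the technique described in the report; this is
not FDIC code. A fixed 100-year window decides the century of a YY value
instead of widening the field to YYYY, so the record layout never changes.
"""
from datetime import date

PIVOT = 50           # report's example: YY >= 50 -> 19YY, YY < 50 -> 20YY
BASE_CENTURY = 1900  # assumption: the century the high half of the window sits in


def expand_two_digit_year(yy, pivot=PIVOT, base_century=BASE_CENTURY):
    """Fixed-window expansion: a YY value at or above the pivot belongs to
    base_century, anything below it to the following century."""
    if not 0 <= yy <= 99:
        raise ValueError("%r is not a two-digit year" % (yy,))
    return base_century + yy if yy >= pivot else base_century + 100 + yy


def window_range(pivot=PIVOT, base_century=BASE_CENTURY):
    """Inclusive (low, high) four-digit years the window can represent."""
    low = base_century + pivot
    return low, low + 99


def windowing_expiry_year(pivot=PIVOT, base_century=BASE_CENTURY):
    """First four-digit year the window cannot represent. Once an application
    must store or receive a date in this year or later, windowing silently
    misreads it; this is the expiry date the report recommends recording in
    the application inventory."""
    return window_range(pivot, base_century)[1] + 1


def parse_yymmdd(field, pivot=PIVOT):
    """Parse a six-character YYMMDD record field (an assumed legacy layout)
    into a date, resolving the century through the window."""
    if len(field) != 6 or not field.isdigit():
        raise ValueError("bad YYMMDD field: %r" % (field,))
    yy, mm, dd = int(field[:2]), int(field[2:4]), int(field[4:])
    return date(expand_two_digit_year(yy, pivot), mm, dd)


def round_trips(year, pivot=PIVOT):
    """Does a four-digit year survive being stored as YY and re-expanded?
    False exactly for years outside the window, i.e. the failure mode for an
    application still in service after the window closes."""
    return expand_two_digit_year(year % 100, pivot) == year


if __name__ == "__main__":
    # Constructed sample records; not data from the report.
    for rec in ("991231", "000101", "000229", "490630", "500101"):
        print(rec, "->", parse_yymmdd(rec).isoformat())
    low, high = window_range()
    print("window %d-%d, windowing expires in %d" % (low, high, windowing_expiry_year()))
    print("2050 round-trips?", round_trips(2050))  # False: stored as 50, read back as 1950
```

Run as a script, it expands the sample records (including the 2000-02-29 leap-day case) and reports that the 50/49 window covers 1950 through 2049 and expires in 2050. Passing a different pivot gives the expiry year for other fields: windowing_expiry_year(pivot=5) returns 2005, which is the value an inventory indicator would hold for a field that, like the one DIRM describes in Appendix I, "windows around 5" (assuming that phrase means a pivot of 05).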
For example, if the data in a particular date field identifies the year as being between 50 and\n99, 19 is logically appended to the data. If the data field identifies the year to be between 00 and 49, 20\nis logically appended to the year. Although this temporary fix to the Y2K problem may continue to be\neffective for many years, the possibility exists that some applications may still be in service when the\nwindowing technique is no longer effective. The FDIC can take further advantage of the current\ninternal application inventory by adding data fields identifying the applications that employ the\nwindowing technique and the date when the usefulness of the technique expires. By documenting this\ninformation in a single source, the FDIC will have the information needed to correctly maintain its\napplication systems and better plan for their retirement.\n\nStandard Operating Procedures for FDIC Buildings\n\nTo ensure the Y2K readiness of its building systems, the FDIC documented inventories of its systems\nand also documented standard operating procedures reflecting the operation of each building. By\nensuring that the information related to each building is accurate and up-to-date, the FDIC can more\n                                                    6\n\x0ceffectively manage its facilities during normal operations and in the event of unusual circumstances.\nFurther, such actions would facilitate the transition of building operations in the event that new\ncontractors are selected in the future.\n\nData Exchange Inventory\n\nThe FDIC developed a current and complete inventory of external data exchange partners during the\nY2K assessment process. That process has allowed the FDIC to identify all of the external entities\nproviding data to or receiving data from the FDIC and the associated formats of that data. This\nactivity allowed the lines of communication between these data exchange partners to remain open and\nensured that effective data exchanges occurred. 
The development of the data exchange inventory was\na long and laborious process. Now that such an inventory has been developed, the FDIC should\nensure that the information that has been collected, such as points of contact, data formats, and\nfrequencies of exchange remain current. The information provided by the data exchange inventory will\nbecome increasingly important with anticipated increases in the use of electronic commerce throughout\nthe public and private sectors.\n\nCorporate Business Continuity and Contingency Plan\n\nDuring our Y2K review, we suggested that the FDIC develop a Y2K business continuity plan using\nguidance developed by the GAO. The Chairman of the FDIC\xe2\x80\x99s Y2K Oversight Committee agreed and\nrequested that our office monitor the development of a comprehensive corporate-wide business\ncontinuity plan that could serve as a basis for a Y2K-specific business continuity plan. The FDIC\xe2\x80\x99s\ndevelopment of its first comprehensive business continuity plan was labor intensive, involved all\ndivisions and offices, and resulted in an extensive, well conceived plan to address the FDIC\xe2\x80\x99s critical\nbusiness needs under all circumstances.\n\nTo realize continued benefits from the plan, the FDIC must ensure that the plan remains current by\nperiodically reassessing the FDIC\'s business process composition; updating priorities, dependencies,\nand service-level requirements; reassessing failure scenarios; updating core business process risks; and\ndefining a minimum acceptable level of core business process output. By revisiting the plan\nperiodically, the FDIC can revalidate mission-critical business processes, prioritize these processes, and\nassess the risks of not meeting its stated goals. 
An up-to-date business continuity planning process will\nalso assist the Corporation in developing its annual performance plan and the performance measures\nneeded to evaluate the Corporation\xe2\x80\x99s success in meeting its goals and meeting the requirements of the\nGovernment Performance and Results Act of 1993 (GPRA).\n\n\n\n\n                                                    7\n\x0cMission-Critical Application Contingency Plans\n\nDuring our involvement in the Y2K process, we reviewed and commented on the Corporation\xe2\x80\x99s\ndevelopment of contingency plans to support its 35 mission-critical applications. Because in many\ncases the FDIC had not previously developed plans of this type, it was difficult to develop plans that\nadequately provided for continued operations in the event that standard processes were unavailable.\nDevelopment of the plans was complex and time-consuming. However, the FDIC\xe2\x80\x99s efforts resulted in\nviable contingency plans for all of its mission-critical applications. By maintaining the plans, the FDIC\nwill be able to respond quickly to sustain critical business operations in the event that standard\nprocesses become unavailable.\n\nConfiguration Management and Version Control Program\n\nTo control the renovation of application systems during its Y2K program, DIRM developed and issued\na directive describing version control procedures for software operating on all of the FDIC\xe2\x80\x99s computer\nplatforms. In addition, DIRM acquired automated tools to assist in version control activities. The\nability to document and control the versions of software used in maintenance, development, and\nproduction through automated means will increase the efficiency of these operations and decrease the\nnumber of errors that can occur when moving applications from development to production. 
We\nbelieve that DIRM\xe2\x80\x99s Y2K directive was instrumental in its successful Y2K preparation by providing\ncontrols over needed application changes made to address the Y2K challenge and can continue to\nbenefit overall DIRM software development and maintenance efforts. DIRM\xe2\x80\x99s directive expired on\nMarch 1, 2000. However, DIRM has established a project to develop a standard configuration\nmanagement program using best practices from its Y2K experience and other sources.\n\nTesting Policies and Procedures\n\nDIRM expanded the FDIC\xe2\x80\x99s application testing policies and procedures and standardized the testing\nprocess to meet the demands of the Y2K program. These steps allowed the FDIC to systemically test\nthe myriad of applications that were renovated during the Y2K program. Continued implementation of\nthese expanded and standardized policies will enhance DIRM\xe2\x80\x99s testing of newly developed and\nmodified application systems supporting the Corporation\xe2\x80\x99s mission and assist DIRM in developing\nperformance measures to meet GPRA requirements.\n\nIndependent Review Process\n\nDuring the year 2000 assessment process, DOS issued procedures that included independent field\noffice reviews to promote consistency in examiner conclusions and to provide additional quality\ncontrols for examinations. The independent reviews were performed by individuals knowledgeable of\nthe year 2000 assessment process and included various reporting documents, a Y2K work program,\nY2K tracking system comments, and a Y2K questionnaire. DOS implemented the independent review\nprocess to address issues identified during our audit. To further validate examination conclusions,\nDOS implemented a quality assurance program. 
DOS selected statistical samples of \xe2\x80\x9cphase III\xe2\x80\x9d Y2K\non-site assessments performed over a 5-month period, and senior DOS personnel, independent of the\nY2K project, reviewed the related Y2K assessment documentation and concluded on the accuracy of\n                                                    8\n\x0cthe Y2K ratings assigned and the effectiveness of the oversight provided.\n\nWe believe that DOS can enhance its overall supervisory program by adopting similar independent\nreview processes to validate examiner conclusions developed during DOS\xe2\x80\x99s ongoing examination\nprocess.\n\n\nCONCLUSIONS AND RECOMMENDATIONS\n\nThe OIG will continue to work cooperatively with corporate officials in all divisions to sustain the\nimprovements already made so that the Corporation derives maximum benefit from its successful Y2K\nefforts. In that regard, we recommend overall that corporate officials continue the initiatives that\nworked so well during Y2K, keep the data or information related to the initiatives current, and develop\nthe necessary policies and procedures to support and sustain the initiatives going forward. In support\nof these goals, we recommend that corporate officials consider the following actions:\n\n\xe2\x80\xa2   Maintain and keep current a database of service providers, software vendors, and affiliated banks,\n    and add an application inventory element to the database that can be periodically reviewed to\n    ensure that institutions have implemented important application changes. (Director, DOS)\n\n\xe2\x80\xa2   Advise financial institutions on the importance of periodically updating and testing their business\n    resumption and contingency plans in the event of any possible future business disruptions and\n    monitor institutions\xe2\x80\x99 actions to do so. (Director, DOS)\n\n\xe2\x80\xa2   Ensure that FDIC divisions and offices continually update and maintain internal manuals and\n    procedures. 
(Deputy to the Chairman and Chief Operating Officer)\n\n\xe2\x80\xa2   Maintain current and standard information technology inventories and ensure that the internal\n    application inventory database is expanded to include an indicator identifying application systems\n    employing the windowing technique and the year that the usefulness of the windowing technique\n    will expire. (Director, DIRM)\n\n\xe2\x80\xa2   Maintain up-to-date standard operating procedures for FDIC buildings. (Director, DOA)\n\n\xe2\x80\xa2   Maintain a current inventory of the FDIC\xe2\x80\x99s data exchange partners, including points of contact,\n    data formats, and the frequencies of exchange. (Director, DIRM)\n\n\xe2\x80\xa2   Ensure that the Corporation\xe2\x80\x99s business continuity plan remains current. (Deputy to the Chairman\n    and Chief Operating Officer)\n\n\xe2\x80\xa2   Ensure that mission-critical application contingency plans remain viable. (Director, DIRM)\n\n\xe2\x80\xa2   Ensure that configuration management and version control procedures adopted during the Y2K\n    program are continued into the new millennium and are expanded to include all computer\n    platforms. (Director, DIRM)\n                                                    9\n\x0c\xe2\x80\xa2   Ensure that the expanded testing policies and procedures adopted for the year 2000 are continued\n    into the new millennium. (Director, DIRM)\n\nAdditionally, with respect to the examination process itself, we recommend continuation of the\ninitiative addressed below as providing an effective control mechanism for DOS\xe2\x80\x99s on-going work. This\ninitiative reinforces recommendations and management commitments resulting from prior OIG audit\nwork, including those contained in DOS Actions Regarding Internet Banking (Audit Report No. 99-\n043) and Audit of Implementation of the Risk-Focused Examination Process (Audit Report No. 
98-\n086).\n\n\xe2\x80\xa2   Expand and refine DOS\xe2\x80\x99s independent quality assurance review program of examination reports\n    and supporting documentation to promote consistency and to validate examination conclusions.\n    (Director, DOS)\n\nBecause this is a special report, we did not request formal management comments. However, we met\nwith corporate officials to discuss the contents of this report and its recommendations.\n\n\nCORPORATE VIEWS\n\nWe are pleased to have received full agreement from all officials on the recommendations contained in\nthis report. Although we did not request formal management comments, we received responses from\nDIRM, DOS and DOA (Attachments I, II, III respectively). The responses confirm the officials\xe2\x80\x99\nagreement with the report contents and their commitment to continuing these initiatives going forward.\n\n\n\n\n                                                 10\n\x0c                                              CORPORATION COMMENTS                                  APPENDIX I\n\nFederal Deposit Insurance Corporation\n3501 North Fairfax Dr., Arlington, VA 22226                                  Division of Information Resources Management\n\n\n                                                                      March 17, 2000\n\n\n\nTO:                    Steven A. Switzer,\n                       Deputy Inspector General\n\n\n\nFROM:                  Donald C. Demitros, Director\n\nSUBJECT:              Plans for Continuing the Initiatives Identified in the OIG Draft Audit Report,\n                      \xe2\x80\x9cFDIC\xe2\x80\x99s Year 2000 Efforts\xe2\x80\x9d\n\n\nThank you for the opportunity to share our initiatives for transitioning best practices identified in the\nY2K Project into ongoing FDIC operations. I would also like to express my appreciation for the\nprofessional support and expertise provided by the Office of the Inspector General throughout the Y2K\neffort. 
The Inspector General\xe2\x80\x99s contributions to this project helped to ensure the complete success of\nthe FDIC\xe2\x80\x99s Y2K preparations.\n\nIn early February 2000, the Division of Information Resources Management (DIRM) Millennium IT\nStrategies Staff (MISS) completed a document entitled, \xe2\x80\x9cFDIC Year 2000 Silver Lining\xe2\x80\x9d which\naddressed lessons learned and potential process improvements for DIRM resulting from the Year 2000\nProject. As evidence of the close professional relationship maintained between DIRM and the Office\nof the Inspector General during the Y2K Project, we have concluded that the recommendations\noutlined in your draft audit report are generally consistent with the recommendations generated by\nDIRM MISS in their Silver Linings document.\n\nAs requested in the draft audit report, the following is a brief summary of DIRM\xe2\x80\x99s plans for continuing\nthe initiatives addressed in this report:\n\n\nINITIATIVES HIGHLIGHTED IN THE DRAFT REPORT\n\n\xe2\x80\xa2     Maintain current and standard information technology inventories and ensure that the internal\n      application inventory database is expanded to include an indicator identifying application systems\n      employing the windowing technique and the year that the usefulness of the windowing technique\n      will expire. (Director, DIRM)\n\n      This inventory has been uploaded to the corporate repository and is currently under the\n      responsibility of the DIRM Data Administration Unit. With regards to the addition of an\n      indicator identifying applications employing the windowing technique and it\xe2\x80\x99s expiration date,\n      based on DIRM\xe2\x80\x99s assessment, the only data for which the window is less than 30 is the NFC\n      personnel data base on which one field windows around 5. As such, the overall value of\n\n\n                                                         11\n\x0c    adding this indicator is extremely limited. 
    Most of the data/applications which use windowing
    are vendor products, such as Microsoft Office products, which are periodically updated and
    the technique improved or the window adjusted. Given the limited impact and risk, DIRM
    will not be pursuing the addition of this indicator to the inventory.

•   Maintain a current inventory of the FDIC's data exchange partners, including points of contact,
    data formats and the frequencies of exchange. (Director, DIRM)

    The inventory of FDIC data exchange partners, including points of contact, data formats and
    frequencies of exchange, is being turned over to DIRM's Data Administration Unit for
    ongoing maintenance within the Corporation.

•   Ensure that mission critical application contingency plans remain viable. (Director, DIRM)

    Maintenance of the mission critical application contingency plans is being folded into the
    overall FDIC Business Continuity planning effort led by DOA. DIRM will follow the
    schedule established under this effort to ensure timely updates and testing of these plans.

•   Ensure that configuration management and version control procedures adopted during the Y2K
    program are continued into the new millennium and are expanded to include all computer
    platforms. (Director, DIRM)

•   Ensure that the expanded testing policies and procedures adopted for the Y2K are continued into
    the new millennium. (Director, DIRM)

    With regards to the last two recommendations, DIRM has initiated an effort, currently called
    "DIRM Testing, Configuration Management, and Version Control Improvement Analysis," to
    address the lessons learned from Y2K.
    This effort will continue throughout 2000 and will include
    detailed reviews of the DIRM testing environments, configuration management practices on all
    platforms, current SDLC issues related to testing and configuration management, and a variety of
    recent recommendations and efforts to address issues. This effort will be comprehensive with a
    goal of determining where process reengineering will contribute to an overall goal of delivering
    quality products which work the first time and are easy and inexpensive to maintain.

cc: Carol Heindel
    Wayne Gooding
    Martha Adams
    Janet Roberson
    Larry Proctor


                                            CORPORATION COMMENTS                            APPENDIX II

Federal Deposit Insurance Corporation
550 17th Street, NW, Washington, DC 20429                                                Division of Supervision

                                                         March 23, 2000

TO:                  Steven A. Switzer
                     Deputy Inspector General

FROM:                James L. Sexton
                     Director

SUBJECT:             FDIC's Year 2000 Efforts (Audit No. 97-901)

The purpose of this memorandum is to respond to observations and recommendations delineated in
your February 29, 2000 draft report relating to the FDIC's Year 2000 efforts (Audit No. 97-901). The
report listed three observations and recommendations concerning work performed by the Division of
Supervision (DOS). Those recommendations as well as DOS responses are presented below.
They
are listed in the order that they appear in the "Conclusions and Recommendations" section of your
memorandum.

OIG Recommendation 1: Maintain and keep current a database of service providers, software
vendors, and affiliated financial institutions, and add an application inventory element to the database
that can be periodically reviewed to ensure that institutions have implemented important application
changes.

DOS Response: The division currently maintains a database of service providers and financial
institutions with in-house computer systems in an Information Systems (IS) Examination Tracking
System. Information in the database regarding service provider arrangements and/or software vendor
relationships is updated at each IS examination of a financial institution or service provider.

The database presently includes a core application inventory element where specific software version
and release information is maintained. IS examination procedures require that the software release
number in use by a financial institution or service provider be documented at each examination. Also,
examiners conclude that all vendor-released updates have been installed or determine if there are
legitimate reasons why a release or update is not installed.
The software version and release
information is submitted with examination findings to the appropriate regional office where it is
recorded in the IS Examination Tracking System.

OIG Recommendation 2: Advise financial institutions on the importance of periodically updating
and testing their business resumption contingency plans in the event of any possible future business
disruption and monitor institutions' actions to do so.

DOS Response: A July 14, 1997 Financial Institution Letter (FIL # 68-97), entitled "FFIEC's Revised
Policy Statement on Corporate Business Resumption and Contingency Planning," emphasized the
importance of business recovery planning to institutions and specifically instructed institutions to ensure
business resumption contingency planning and testing takes place (copy attached).

Additionally, the Division is currently working with the other FFIEC agencies to draft an interagency
guidance paper discussing the lessons learned from the Year 2000 project. The guidance paper will,
among other things, encourage financial institutions to conduct their own review of lessons from the
Year 2000 effort and incorporate these lessons, where appropriate, in future risk management
practices. One of the points addressed by the paper is the benefit of comprehensive contingency
planning. DOS will ensure that the FDIC Financial Institution Letter used to distribute this interagency
guidance paper reminds financial institutions of the importance of periodically updating and testing
business resumption contingency plans in the event of any possible future business disruption.

DOS examiners review business resumption contingency plans and testing documentation at each IS
examination.
If these plans are not adequate or if periodic testing is not completed and documented,
examiners cite a deficiency and recommend corrective action.

OIG Recommendation 3: Expand and refine DOS's independent quality assurance review program
of examination reports and supporting documentation to promote consistency and to validate
examination conclusions.

DOS Response: DOS is currently working with the Division of Research and Statistics (DRS) to
enhance and refine its quality assurance program. DOS and DRS staff are working together to
determine the extent of enhancement necessary. They are reviewing data such as the number of
examination reports completed by each region in 1999 to determine appropriate populations for future
quality assurance reviews. Independent review of a random sample of examination reports and
supporting documentation will then be conducted by Internal Control and Review Section staff during
Regional Office reviews and by Senior Examination Specialists or other designated Regional Office
staff during Field Office reviews.


Attachment

cc:     Michael J. Zamorski
        John M. Lane
        Simona L. Frank
        Phyllis J. Zumbrun
        Michael B. Benardo


                                   Financial Institution Letters
                  Corporate Business Resumption and Contingency Planning

                                                                                                   FIL-68-97
                                                                                               July 14, 1997
TO:           CHIEF EXECUTIVE OFFICER
SUBJECT:      FFIEC's Revised Policy Statement on Corporate Business Resumption and Contingency
              Planning

The interagency Federal Financial Institutions Examination Council (FFIEC) on March 26, 1997,
adopted a revised policy statement on Corporate Business Resumption and Contingency Planning.
The policy statement is attached.

The revised statement continues to emphasize the importance of business recovery planning and
explains the goals associated with an effective business resumption and contingency plan. Revisions
to the policy statement acknowledge the increased use of distributed computer environments and
increased reliance on external service providers for mission-critical bank activities. A financial
institution's Board of Directors is responsible for ensuring that a comprehensive business resumption
and contingency plan has been implemented.

The revision was conducted as part of the combined agency Community Development and Regulatory
Improvement Act (CDRIA) effort to streamline agency regulations and written policies to improve
efficiency, reduce unnecessary costs, eliminate unwarranted constraints on credit availability, and
remove duplicative requirements.

Contingency plans are evaluated by examiners during regular supervisory reviews of the institution.
For more information, please contact your Division of Supervision Regional Office.

                                                     Nicholas J. Ketcha Jr.

                                                     Director

Attachment (below)

Distribution: FDIC-Supervised Banks (Commercial and Savings)

NOTE: Paper copies of FDIC financial institution letters may be obtained through the FDIC's Public Information
Center, 801 17th Street, N.W., Room 100, Washington, D.C., 20434 (202-416-6940 or 800-276-6003).

(ATTACHMENT)

               CORPORATE BUSINESS RESUMPTION AND CONTINGENCY PLANNING

To: Chief Executive Officers of all Federally Supervised Financial Institutions, Senior Management of each
FFIEC Agency, and all Examining Personnel

PURPOSE

This statement emphasizes to the board of directors and senior management of each financial institution the
importance of corporate business resumption and information systems contingency planning functions. This
includes planning for the recovery of critical information systems processing and operations supported by
external service providers. This statement also addresses issues that management should consider when
developing a viable contingency plan.


BACKGROUND

Information systems technology has evolved into a critical facet of the corporate structure of financial
institutions. Transaction processing and business applications are no longer restricted to mainframe computer
environments. The use of distributed platforms (including mid-range computers, client/server technology, and
local and wide area networks) for mission-critical business functions expands the scope of contingency
planning.

Corporate and customer services throughout financial institutions are now more dependent on direct access to
information and accounts. This includes contemporary financial delivery systems and services such as PC
banking, corporate cash management, and Internet promotion.
These services represent key transactional,
strategic, and reputational issues for the financial institutions. Often these services depend on a combination of
internal and external information processing services. Outsourcing arrangements and other technology
alliances involve unique considerations which also expand the boundaries of contingency planning.

Business recovery planners must recognize this new environment and the risks it may pose to the financial
institution. The importance of these operations and service units requires effective business recovery planning
from a corporate-wide perspective.

DEFINITION

Contingency planning is the process of identifying critical information systems and business functions and
developing plans to enable those systems and functions to be resumed in the event of a disruption. The
process includes testing the recovery plans to ensure they are effective. During the testing process
management should also verify that business unit plans complement the information system plans.

GOALS

The goal of an effective contingency plan and recovery process is to facilitate and expedite the resumption of
business after a disruption of vital information systems and operations. The principal objectives are to:

    •    Minimize disruptions of service to the institution and its customers.

    •    Ensure timely resumption of operations.

    •    Limit losses to earnings and capital.

It is important for both financial institutions and their service bureaus to regularly assess risks associated with
the loss or extended disruption of business operations and to evaluate their vulnerability to those risks. To
achieve contingency planning and business resumption goals and objectives, senior management should
ensure that:

    •    Contingency plans are comprehensive and address all of the critical functions and operations in an
         institution.
         This includes assessing the response capability of key disaster recovery service vendors
         (e.g., the vendor(s) providing alternate processing sites; storage and transportation of back-up media
         between the storage vendor, alternate processing site and the institution).

    •    An effective business resumption and contingency plan has been coordinated with their information
         processing and service providers.[1]

    •    Contingency plans are thoroughly tested at least annually.

    •    Test results and recommendations from such testing are reviewed.

    •    Appropriate corrective actions are implemented.

POLICY

The board of directors and senior management of each financial institution is responsible for:

     •    Establishing policies and procedures, and assigning responsibilities to ensure that comprehensive
          corporate business resumption, contingency planning, and testing takes place.

     •    Annually reviewing the adequacy of the institution's business recovery and contingency plans and test
          results.

     •    Documenting such reviews and approvals in the board minutes.

Furthermore, if the financial institution receives information processing from a service bureau, senior
management also has a responsibility to:

     •    Evaluate the adequacy of contingency planning and testing for its service bureau.

     •    Ensure that the institution's contingency plan is compatible with that of its service bureau.

Please refer to the FFIEC Information Systems Examination Handbook for specific guidance on developing an
organization-wide contingency plan.

Revised: March 1997

[1] This concern refers to situations where service bureaus are contracted to process core applications or
critical business lines. This is especially important to the Fedwire software application when the service
provider is not affiliated with the institution through at least 80 percent common ownership. The institution
must be able to continue its operations for these functional business lines if the service provider arrangement
is terminated.

Last Updated 07/16/1999


                                             CORPORATION COMMENTS                            APPENDIX III

Federal Deposit Insurance Corporation
550 17th Street, NW, Washington, DC 20429                                        Division of Administration

                                                                   March 23, 2000

MEMORANDUM TO: Steven A. Switzer
               Deputy Inspector General
               Office of Inspector General

FROM:                           Arleas Upton Kea
                                Director, Division of Administration

SUBJECT:                        Management Response to Draft Report: FDIC's Year 2000 Efforts

The Division of Administration (DOA) has completed its review of the draft report issued by the Office
of the Inspector General (OIG) entitled FDIC's Year 2000 Efforts. Our review focused on those
recommendations in the report addressed to the DOA. Specifically, DOA addressed two
recommendations: 1) Standard operating procedures for FDIC buildings; and 2) The Corporation's
business continuity plan.
DOA appreciates the intensive study performed by the OIG, and the
reporting of positive actions undertaken by the Corporation in addressing the technological challenges
posed by the Year 2000 date change.

We agree with the conclusions of the OIG study and are in the process of or have completed the
recommended changes. The report provides us with the necessary information to continue our efforts
to effectively manage the FDIC's facilities.

Management Decision:

Recommendation 1: Maintain up-to-date standard operating procedures for FDIC buildings.

Management Response 1: We agree with the recommendation. As discussed with the OIG during a
meeting with the DOA Facilities Management Section, the Standard Operating Procedures (SOPs) are
current and up-to-date. DOA will continue to maintain current SOPs for FDIC buildings.

Recommendation 2: Ensure that the Corporation's business continuity plan remains current.

Management Response 2: We agree with the recommendation. In the fall of 1998, a Task Force
was created to develop the FDIC Business Continuity Plan (Plan). In April 1999, functional
responsibility was transferred to the DOA Security Management Section (SMS). In 1999, the DOA
SMS engaged a Business Continuity Planning contractor to assist in better refining the overall
corporate Plan. During the second half of 1999, the Corporation's efforts were fully focused on Y2K
contingency planning, which delayed further development of the overall Plan. Based on the lessons
learned from initial testing of the Plan and the Y2K planning effort, DOA SMS is currently in the
process of coordinating with each Division to re-evaluate their critical business units and core business
processes and to identify those processes that cut across divisional lines or business units.
Once the
critical business units and core business processes are identified, they will be integrated into a single
plan structure. DOA SMS will also incorporate the communication process and notification and
response procedures, developed during the Y2K planning effort, to further streamline the Plan as well
as to detail the Plan's initial response and enterprise-wide communications procedures. As a result, the
Plan will be more user-friendly and better able to meet any business disruptions to the FDIC. DOA will
also continue to periodically reassess the FDIC's business continuity plan to revalidate its mission
critical business processes.

If you have any questions regarding the response, our point of contact for this matter is Andrew O.
Nickle, Audit Liaison for the Division of Administration. Mr. Nickle can be reached at
(202) 942-3190.


cc:     Mr. Deshpande
        Mr. Kmetz